Add Kconfig option to lock/unlock ME firmware during build

For reasons of security and testing we want to be able to enable/disable ME section locking through a config option. Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f Signed-off-by: Stefan Reinauer <reinauer@google.com> Reviewed-on: http://review.coreboot.org/1798 Tested-by: build bot (Jenkins) Reviewed-by: Ronald G. Minnich <rminnich@gmail.com>
author: Stefan Reinauer <reinauer@chromium.org> 2012-10-31 17:30:13 -0700
committer: Ronald G. Minnich <rminnich@gmail.com> 2012-11-13 18:24:06 +0100
commit: 7004b7c9e61640f1e7e7bf9043bf7b2a8603d956 (patch)
tree: 0d59a8d0dd30f16f30754f5fb5a07b29b02f6376 /src/southbridge/intel/bd82x6x/Kconfig
parent: 1bfbbc0d8f68b43af7ccda1dde796ed15950c508 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 7634b801ff..e330fb4382 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -58,4 +58,17 @@ config HPET_MIN_TICKS
 	hex
 	default 0x80
 
+config LOCK_MANAGEMENT_ENGINE
+	bool "Lock Management Engine section"
+	default n
+	help
+	  The Intel Management Engine supports preventing write accesses
+	  from the host to the Management Engine section in the firmware
+	  descriptor. If the ME section is locked, it can only be overwritten
+	  with an external SPI flash programmer. You will want this if you
+	  want to increase security of your ROM image once you are sure
+	  that the ME firmware is no longer going to change.
+
+	  If unsure, say N.
+
 endif
author	Stefan Reinauer <reinauer@chromium.org>	2012-10-31 17:30:13 -0700
committer	Ronald G. Minnich <rminnich@gmail.com>	2012-11-13 18:24:06 +0100
commit	7004b7c9e61640f1e7e7bf9043bf7b2a8603d956 (patch)
tree	0d59a8d0dd30f16f30754f5fb5a07b29b02f6376 /src/southbridge/intel/bd82x6x/Kconfig
parent	1bfbbc0d8f68b43af7ccda1dde796ed15950c508 (diff)